[Ksummit-discuss] [CORE TOPIC] dev/maintainer workflow security
Steven Rostedt
rostedt at goodmis.org
Wed Jul 15 18:42:12 UTC 2015
On Mon, 13 Jul 2015 10:32:06 +0200 (CEST)
Jiri Kosina <jkosina at suse.com> wrote:
> On Sat, 11 Jul 2015, James Bottomley wrote:
>
> > > - personal security (keep commit credentials secure from theft)
> >
> > This second one is a bit of a red herring: Assuming you did steal my
> > credentials, how would you use them without being detected?
>
> If the credentials can be used both to push to ra.kernel.org and to access
> your "local" copy of the GIT repo (on your notebook / desktop / storage),
> I can just push the malicious commit (*) to both repos and you might not
> notice immediately (because you wouldn't get non-fast-forward hint from
> git).
Actually, I do development on a different box than I push with. Thus,
if someone did modify both that box and my korg repo, I would notice a
problem as soon as I push my development box to the box I push with.
Now the attacker would need to compromise that development box too.
-- Steve
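The exchange above, as an added example that is not part of the thread: a small git simulation of the workflow Steve describes, with three local repositories standing in for korg, the box he pushes from, and the box he develops on. The repository paths, file names and commit messages are invented, and the "stolen credentials" are modelled as the attacker simply having write access to the korg and push-box paths. The script shows both halves of the argument: the attacker's pushes to korg and the push box are plain fast-forwards and raise no complaint, and a push from the push box to korg is silent too (Jiri's point); only the push from the untouched development box trips git's non-fast-forward check (Steve's point).

```shell
#!/bin/sh
# Added example, not code from the Ksummit thread. Simulates a three-box
# workflow (dev -> push box -> korg) with local git repositories and shows
# where a push made with stolen credentials is, and is not, noticed.
# All paths, file names and messages below are invented for the simulation.
set -u

# git with a fixed identity so the script runs on a box with no ~/.gitconfig
g() { git -c user.name=sim -c user.email=sim@example.invalid -c commit.gpgsign=false "$@"; }

commit_file() {  # commit_file <repo> <file> <message>
    echo "$3" > "$1/$2"
    g -C "$1" add "$2"
    g -C "$1" commit -q -m "$3"
}

run_scenario() {
    work=$(mktemp -d)

    # korg.git: upstream; pushbox.git: the box Steve pushes from; dev: where he develops
    g init -q --bare "$work/korg.git"
    g --git-dir="$work/korg.git" symbolic-ref HEAD refs/heads/main
    g init -q --bare "$work/pushbox.git"
    g --git-dir="$work/pushbox.git" symbolic-ref HEAD refs/heads/main
    g init -q "$work/dev"
    commit_file "$work/dev" README "base commit"
    g -C "$work/dev" branch -M main
    g -C "$work/dev" remote add pushbox "$work/pushbox.git"
    g -C "$work/dev" push -q pushbox main
    g --git-dir="$work/pushbox.git" remote add korg "$work/korg.git"
    g --git-dir="$work/pushbox.git" push -q korg main

    # Attacker holding the stolen push credentials rewrites korg AND the push
    # box, as Jiri describes: both pushes are fast-forwards, nothing complains.
    g clone -q "$work/korg.git" "$work/attacker"
    commit_file "$work/attacker" backdoor.c "malicious commit"
    ATTACKER_SILENT=no
    if g -C "$work/attacker" push -q origin main \
       && g -C "$work/attacker" push -q "$work/pushbox.git" main; then
        ATTACKER_SILENT=yes
    fi

    # If the push box were the only local copy, pushing it to korg says
    # nothing: both already hold the malicious commit, so no non-fast-forward.
    PUSHBOX_QUIET=no
    if g --git-dir="$work/pushbox.git" push -q korg main; then
        PUSHBOX_QUIET=yes
    fi

    # Steve's workflow: the dev box, which the attacker never touched, pushes
    # its next commit to the push box and git refuses the non-fast-forward.
    commit_file "$work/dev" README "next real change"
    DEVBOX_DETECTED=no
    if ! g -C "$work/dev" push -q pushbox main 2>"$work/push.err"; then
        if grep -q 'rejected' "$work/push.err"; then
            DEVBOX_DETECTED=yes
        fi
    fi

    rm -rf "$work"
}

run_scenario
echo "attacker pushes succeeded silently:        $ATTACKER_SILENT"
echo "push box -> korg push gave no warning:     $PUSHBOX_QUIET"
echo "dev box push rejected (non-fast-forward):  $DEVBOX_DETECTED"
```

The detection depends entirely on the development box holding history the attacker could not rewrite; an attacker who also gains write access to it can fast-forward all three copies, which is the further compromise Steve's last sentence refers to.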